On Tue, Oct 26, 2010 at 11:40:49AM +0200, Laurent CARON wrote:

> Oct 26 11:34:06 sargon postfix/smtpd[23238]: SSL_accept:SSLv3 write
> certificate request B
> Oct 26 11:34:06 sargon postfix/smtpd[23238]: SSL_accept:SSLv3 flush data
> Oct 26 11:34:06 sargon postfix/smtpd[23238]: SSL_accept error from
> unknown[192.168.14.249]: -1
> Oct 26 11:34:06 sargon postfix/smtpd[23238]: lost connection after STARTTLS
> from unknown[192.168.14.249]

The client disconnected. To find out why, check for A/V software on the
client or firewalls, etc., that may interfere with the SSL session. Also,
see whether the client supports STARTTLS on 587, rather than the obsolete
SMTP inside SSL on 465. Perhaps, less likely, the client did not like the
server certificate.

> smtpd_banner = $myhostname SMTP
> smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
> smtpd_tls_CApath = /etc/ssl/certs
> smtpd_tls_ask_ccert = yes

Consider turning this off, unless you really make use of client certs;
the client may not have a cert, and may give up for that reason.

> smtpd_tls_cert_file = /etc/postfix/certs/mail_lncsa_com.crt
> smtpd_tls_key_file = /etc/postfix/certs/mail_lncsa_com.key
> smtpd_tls_loglevel = 2
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_cache

Looks good. Works on port 587:

smtp-finger: initializing the client-side TLS engine
smtp-finger: Connected to mail.lncsa.com[213.215.28.11]:587
smtp-finger: < 220 sargon.lncsa.com SMTP
smtp-finger: > EHLO hqmtaint01.ms.com
smtp-finger: < 250-sargon.lncsa.com
smtp-finger: < 250-PIPELINING
smtp-finger: < 250-SIZE 10240000
smtp-finger: < 250-ETRN
smtp-finger: < 250-STARTTLS
smtp-finger: < 250-ENHANCEDSTATUSCODES
smtp-finger: < 250 8BITMIME
smtp-finger: > STARTTLS
smtp-finger: < 220 2.0.0 Ready to start TLS
smtp-finger: setting up TLS connection to mail.lncsa.com[213.215.28.11]:587
smtp-finger: mail.lncsa.com[213.215.28.11]:587: TLS cipher list "aNULL:ALL:+RC4:@STRENGTH:!eNULL"
smtp-finger: looking for session sargon.lncsa.com&p=1&c=aNULL:ALL:+RC4:@STRENGTH:!eNULL in local cache
smtp-finger: SSL_connect:before/connect initialization
smtp-finger: SSL_connect:SSLv2/v3 write client hello A
smtp-finger: SSL_connect:SSLv3 read server hello A
smtp-finger: mail.lncsa.com[213.215.28.11]:587: certificate verification depth=1 verify=1 subject=/C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
smtp-finger: mail.lncsa.com[213.215.28.11]:587: certificate verification depth=0 verify=1 subject=/C=FR/O=mail.lncsa.com/OU=GT77022724/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=mail.lncsa.com
smtp-finger: SSL_connect:SSLv3 read server certificate A
smtp-finger: SSL_connect:SSLv3 read server key exchange A
smtp-finger: SSL_connect:SSLv3 read server certificate request B
smtp-finger: SSL_connect:SSLv3 read server done A
smtp-finger: SSL_connect:SSLv3 write client certificate A
smtp-finger: SSL_connect:SSLv3 write client key exchange A
smtp-finger: SSL_connect:SSLv3 write change cipher spec A
smtp-finger: SSL_connect:SSLv3 write finished A
smtp-finger: SSL_connect:SSLv3 flush data
smtp-finger: SSL_connect:SSLv3 read server session ticket A
smtp-finger: SSL_connect:SSLv3 read finished A
smtp-finger: save session sargon.lncsa.com&p=1&c=aNULL:ALL:+RC4:@STRENGTH:!eNULL to local cache
smtp-finger: mail.lncsa.com[213.215.28.11]:587 CommonName mail.lncsa.com
smtp-finger: mail.lncsa.com[213.215.28.11]:587: Trusted subject_CN=mail.lncsa.com, issuer_CN=Equifax Secure Global eBusiness CA-1
smtp-finger: mail.lncsa.com[213.215.28.11]:587 sha1 fingerprint FA:5C:CD:6F:BB:23:ED:5D:82:D7:8F:E9:83:6A:EA:3D:DC:16:DB:DA
smtp-finger: Trusted TLS connection established to mail.lncsa.com[213.215.28.11]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
---
Certificate chain
 0 s:/C=FR/O=mail.lncsa.com/OU=GT77022724/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=mail.lncsa.com
   i:/C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
-----BEGIN CERTIFICATE-----
MIIDzTCCAzagAwIBAgIDCrGoMA0GCSqGSIb3DQEBBQUAMFoxCzAJBgNVBAYTAlVT
MRwwGgYDVQQKExNFcXVpZmF4IFNlY3VyZSBJbmMuMS0wKwYDVQQDEyRFcXVpZmF4
IFNlY3VyZSBHbG9iYWwgZUJ1c2luZXNzIENBLTEwHhcNMDkwMjExMDkzODAxWhcN
MTIwNDEyMDgzODAxWjCBuDELMAkGA1UEBhMCRlIxFzAVBgNVBAoTDm1haWwubG5j
c2EuY29tMRMwEQYDVQQLEwpHVDc3MDIyNzI0MTEwLwYDVQQLEyhTZWUgd3d3LnJh
cGlkc3NsLmNvbS9yZXNvdXJjZXMvY3BzIChjKTA5MS8wLQYDVQQLEyZEb21haW4g
Q29udHJvbCBWYWxpZGF0ZWQgLSBSYXBpZFNTTChSKTEXMBUGA1UEAxMObWFpbC5s
bmNzYS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDF1Y+Xlk4R
aH9pcOqj54llBOmW97SUHwq5JLBGlb50TdUgupDTtYmh6GEEBJTyPI4YFI3NqdOz
QCwtOEkvspIr+LA2acgoRX2fs5uERhzSgTMEVspxMRkhuBN5xH9D/2sm+MyR0ffv
0Wbky6wQRsjgsn/Wu2ALr6Ix03xcZMj6UWcdaFNyfi9TSXc4MY7x6V0hLWYGAXzx
/OcvWM5q022uuxaboyJaBvr98L9QYEuLSsLgZlT0A1WPG/Rg58HoEkLdc+jBj8Dv
cpyZwg01wF1sY90sfvc5/F/hG/4YLzW8AumYjUBJjZV3imJTCP0efOpYS1f8F1DC
FlDxvhcjAE8PAgMBAAGjgb0wgbowDgYDVR0PAQH/BAQDAgTwMB0GA1UdDgQWBBSk
S1xisuqoSPpFyMELw7tcp5aiiTA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8vY3Js
Lmdlb3RydXN0LmNvbS9jcmxzL2dsb2JhbGNhMS5jcmwwHwYDVR0jBBgwFoAUvqig
dHJQa0S3ySPY+6j/s1draGwwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEFBQADgYEAKezlAZFK+HwwFa1XmuJ4
ac1onbRxoJvooGzwU/oryRU6yj0yk7FW03CF4ib9f6I9uHOOYMzPJsBv6ZeS4SBD
pcNykmsinCP7WnlGVPBHXUNU+FIwOfBwJ0SraAGswjwmy4GA6WRsulu/RhmQZyqM
+3ynaf9gqn8oRCd/I4FJ+GM=
-----END CERTIFICATE-----
 1 s:/C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
   i:/C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
-----BEGIN CERTIFICATE-----
MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQQFADBaMQswCQYDVQQGEwJVUzEc
MBoGA1UEChMTRXF1aWZheCBTZWN1cmUgSW5jLjEtMCsGA1UEAxMkRXF1aWZheCBT
ZWN1cmUgR2xvYmFsIGVCdXNpbmVzcyBDQS0xMB4XDTk5MDYyMTA0MDAwMFoXDTIw
MDYyMTA0MDAwMFowWjELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0VxdWlmYXggU2Vj
dXJlIEluYy4xLTArBgNVBAMTJEVxdWlmYXggU2VjdXJlIEdsb2JhbCBlQnVzaW5l
c3MgQ0EtMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuucXkAJlsTRVPEnC
UdXfp9E3j9HngXNBUmCbnaEXJnitx7HoJpQytd4zjTov2/KaelpzmKNc6fuKcxtc
58O/gGzNqfTWK8D3+ZmqY6KxRwIP1ORROhI8bIpaVIRw28HFkM9yRcuoWcDNM50/
o5brhTMhHD4ePmBudpxnhcXIw2ECAwEAAaNmMGQwEQYJYIZIAYb4QgEBBAQDAgAH
MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUvqigdHJQa0S3ySPY+6j/s1dr
aGwwHQYDVR0OBBYEFL6ooHRyUGtEt8kj2Puo/7NXa2hsMA0GCSqGSIb3DQEBBAUA
A4GBADDiAVGqx+pf2rnQZQ8w1j7aDRRJbpGTJxQx78T3LUX47Me/okENI7SS+RkA
Z70Br83gcfxaz2TE4JaY0KNA4gGK7ycH8WUBikQtBmV1UsCGECAhX2xrD2yuCRyv
8qIYNMR1pHMc8Y3c7635s3a0kr/clRAevsvIO1qEYBlWlKlV
-----END CERTIFICATE-----

> smtpd_use_tls = yes

The non-deprecated syntax is:

    smtpd_tls_security_level = may

-- 
	Viktor.
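The diagnosis in the reply rests on reading which handshake step the server logged last before the client went away (here "write certificate request B", which is why smtpd_tls_ask_ccert is the first suspect). The following is an added example, not code from the thread or from Postfix: a small Python triage script that applies that reading to smtpd_tls_loglevel = 2 logs, grouping lines by smtpd process id and reporting the last handshake message before each SSL_accept error, plus a lint for the two main.cf settings the reply comments on. The hint table, the regexes and the extra successful handshake in the sample log (pid 23240) are this example's own constructions; the failing lines are the ones quoted in the thread, rejoined onto single lines.

```python
"""Triage Postfix "lost connection after STARTTLS" events.

Added example for this thread, not code from the original post or from
Postfix. It parses smtpd log lines of the form written at
smtpd_tls_loglevel = 2, groups them by smtpd process id, and for each
SSL_accept error reports the last handshake step the server logged before
the client went away. The hint table is this example's own heuristic,
derived from the advice in the reply: a drop right after the server sent
"certificate request" points at smtpd_tls_ask_ccert = yes.
"""
import re
from collections import defaultdict

# "Oct 26 11:34:06 sargon postfix/smtpd[23238]: <message>"
LOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
STATE_RE = re.compile(r"^SSL_accept:(?P<state>.+)$")
ERROR_RE = re.compile(r"^SSL_accept error from (?P<client>\S+): (?P<code>-?\d+)$")
LOST_RE = re.compile(r"^lost connection after STARTTLS from (?P<client>\S+)$")

# Heuristic hints (this example's assumption), keyed on a substring of the
# last handshake message the server sent or read before the error.
# Order matters: "certificate request" must be tested before "write certificate".
HINTS = [
    ("certificate request", "server asked for a client certificate "
     "(smtpd_tls_ask_ccert = yes); a client without one may give up here"),
    ("write certificate", "client dropped after receiving the server "
     "certificate; it may distrust the issuer or the name"),
]
DEFAULT_HINT = ("check for A/V software or firewalls on the client side, and "
                "that the client really does STARTTLS on 587 rather than "
                "SMTP-over-SSL on 465")


def hint_for(state):
    for needle, hint in HINTS:
        if needle in state:
            return hint
    return DEFAULT_HINT


def triage(lines):
    """Return one dict per SSL_accept error, in log order."""
    history = defaultdict(list)   # pid -> SSL_accept state strings seen so far
    failures = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        s = STATE_RE.match(msg)
        if s:
            history[pid].append(s.group("state"))
            continue
        e = ERROR_RE.match(msg)
        if e:
            # "flush data" is only the socket write; the step before it is
            # the handshake message the client actually reacted to.
            steps = [x for x in history[pid] if "flush data" not in x]
            last = steps[-1] if steps else "<no handshake state logged>"
            failures.append({"pid": pid, "client": e.group("client"),
                             "code": int(e.group("code")), "last_state": last,
                             "hint": hint_for(last), "lost": False})
            history[pid].clear()
            continue
        l = LOST_RE.match(msg)
        if l:
            for f in reversed(failures):
                if f["pid"] == pid and f["client"] == l.group("client"):
                    f["lost"] = True
                    break
    return failures


def lint_main_cf(text):
    """Flag the two main.cf settings the reply comments on."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key == "smtpd_use_tls":
            findings.append((key, "deprecated; use 'smtpd_tls_security_level = may'"))
        elif key == "smtpd_tls_ask_ccert" and value.lower() == "yes":
            findings.append((key, "turn off unless you really use client certificates"))
    return findings


# The four log lines from the thread, rejoined onto single lines, plus one
# constructed successful handshake (pid 23240) that must not be reported.
SAMPLE_LOG = """\
Oct 26 11:34:05 sargon postfix/smtpd[23240]: SSL_accept:before/accept initialization
Oct 26 11:34:05 sargon postfix/smtpd[23240]: SSL_accept:SSLv3 read client hello A
Oct 26 11:34:05 sargon postfix/smtpd[23240]: SSL_accept:SSLv3 write finished A
Oct 26 11:34:05 sargon postfix/smtpd[23240]: SSL_accept:SSLv3 flush data
Oct 26 11:34:06 sargon postfix/smtpd[23238]: SSL_accept:SSLv3 write certificate request B
Oct 26 11:34:06 sargon postfix/smtpd[23238]: SSL_accept:SSLv3 flush data
Oct 26 11:34:06 sargon postfix/smtpd[23238]: SSL_accept error from unknown[192.168.14.249]: -1
Oct 26 11:34:06 sargon postfix/smtpd[23238]: lost connection after STARTTLS from unknown[192.168.14.249]
"""

# main.cf fragment as quoted in the thread.
SAMPLE_MAIN_CF = """\
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 2
smtpd_use_tls = yes
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print("%s pid=%s last=%r lost=%s\n  hint: %s"
              % (f["client"], f["pid"], f["last_state"], f["lost"], f["hint"]))
    for key, advice in lint_main_cf(SAMPLE_MAIN_CF):
        print("%s: %s" % (key, advice))
```

Run it against a real mail log with `triage(open("/var/log/mail.log"))` after raising smtpd_tls_loglevel to 2 for the duration of the test; the hints are starting points for the checks the reply lists, not a verdict, and the only way to confirm the client-certificate theory is to set smtpd_tls_ask_ccert = no and watch whether the same client completes the handshake.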